TechSpot

Search engine redirect, 8 steps included

By preston67
Sep 18, 2010
  1. All of my search engines redirect 75% of the result links to random adware sites.
    I have run the 8 steps. Avira anti-virus kept reporting TR/Cryp.XPACK.Gen2 but could not remove it, even in safe mode; in fact the computer would usually become unstable after it tried to remove them. Avira also seemed unstable, constantly popping up a corner window warning about these but unable to resolve it.

    Thanks in advance for any help.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4636

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.18943

    9/17/2010 12:01:58 AM
    mbam-log-2010-09-17 (00-01-58).txt

    Scan type: Quick scan
    Objects scanned: 167122
    Time elapsed: 14 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3541dacd-016c-f3a6-84f5-2ec457a3b36f} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\sysservice.dll (Backdoor.IRCBot) -> Quarantined and deleted successfully.
    C:\Users\owner\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

    GMER log
    =========
    Rootkit scan 2010-09-17 08:35:23
    Windows 6.0.6001 Service Pack 1
    Running: wjb6nmcz.exe; Driver: C:\Users\owner\AppData\Local\Temp\kwlcapow.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\Explorer.EXE[1076] kernel32.dll!CreateProcessInternalW 764198DD 5 Bytes JMP 0078874A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74BE88B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74C298A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74BEB9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74BDFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74BE7A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74BDEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74C1B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74BEBC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74BE074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74BE06B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74BD71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74C6D848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74C07379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74BDE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74BD697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74BD69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74BE2465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bdcbfde
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bed307a
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6bdcbfde (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6bed307a (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----
     


  2. preston67

    preston67 TS Rookie Topic Starter

    DDS

    =================================
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by owner at 18:13:18.54 on Fri 09/17/2010
    Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.822 [GMT -7:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\system32\schtasks.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Windows\vsnp2uvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
    C:\Program Files\Verizon\McciTrayApp.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\lkcitdl.exe
    C:\Windows\system32\lkads.exe
    C:\Windows\system32\lktsrv.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Verizon\VSP\ServicepointService.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\msiexec.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\explorer.exe
    C:\cleanup\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/
    uSearch Bar = Preserve
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Browser protection: {fb9ffb4b-9680-4256-8178-5ecdb2c19b23} - c:\progra~1\spynom~1\SNMIEG~1.DLL
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [PC Hardware Manager] c:\program files\pc hardware manager\PCHardwareManager.exe
    mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [SDActiveMonitor] c:\program files\spywaredetector\SDActiveMonitor.exe -AUTO
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
    mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    Trusted Zone: att.com\*.vpn
    Trusted Zone: att.com\www.e-access
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://cassl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://cassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
     
  3. preston67

    preston67 TS Rookie Topic Starter

    Dds2

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\b82lmtqd.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\verizon\vsp\nprpspa.dll
    FF - plugin: c:\users\owner\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {9398FD24-58F0-47BA-A72E-0EB27CFDB872} - c:\users\owner\appdata\local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
    R3 asusledbt;ASUS Bluetooth LED Device Driver;c:\windows\system32\drivers\asusledbt.sys [2007-8-28 24880]
    R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2007-8-28 858112]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2007-8-28 28464]
    R3 CFXPDisplayName;CFXPDisplayName;c:\windows\system32\drivers\CFACPI.sys [2007-8-28 7680]
    R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-8-28 366080]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-10 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-10 35272]
    R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-9 34248]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-10 40552]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]

    =============== Created Last 30 ================

    2010-09-17 06:41:15 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
    2010-09-17 06:40:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 06:40:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 06:40:45 0 d-----w- c:\programdata\Malwarebytes
    2010-09-17 06:40:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 02:52:07 65536 --sha-w- c:\users\owner\ntuser.dat{6382b99c-c206-11df-9a3e-001a6bed307a}.TM.blf
    2010-09-17 02:52:07 524288 --sha-w- c:\users\owner\ntuser.dat{6382b99c-c206-11df-9a3e-001a6bed307a}.TMContainer00000000000000000002.regtrans-ms
    2010-09-17 02:52:07 524288 --sha-w- c:\users\owner\ntuser.dat{6382b99c-c206-11df-9a3e-001a6bed307a}.TMContainer00000000000000000001.regtrans-ms
    2010-09-17 01:34:20 0 d-----w- C:\cleanup
    2010-09-16 14:03:17 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-09-15 09:39:23 501760 ----a-w- c:\windows\system32\usp10.dll
    2010-09-15 09:39:19 126464 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-15 09:39:12 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2010-09-15 09:39:06 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2010-09-13 06:11:35 0 d-----w- C:\Cems Data Properties
    2010-09-06 14:36:33 0 d-----w- c:\programdata\Sun
    2010-09-06 14:36:11 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-03 05:27:40 1152 ----a-w- c:\windows\system32\windrv.sys
    2010-09-03 05:27:29 0 d-----w- c:\program files\SpyNoMore
    2010-08-27 16:23:34 0 d-----w- C:\389294be31a859d6fb

    ==================== Find3M ====================

    2010-06-26 06:05:49 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-06-21 13:18:15 2036736 ----a-w- c:\windows\system32\win32k.sys
    2010-04-26 15:29:12 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-04-26 15:29:12 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-04-10 05:01:19 86016 ----a-w- c:\windows\inf\infstor.dat
    2008-08-09 15:41:51 174 --sha-w- c:\program files\desktop.ini
    2008-08-09 15:32:38 665600 ----a-w- c:\windows\inf\drvindex.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2008-07-04 04:57:45 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
    2008-07-04 04:57:45 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008070320080704\index.dat
    2007-08-28 22:42:49 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 18:15:30.69 ===============
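An added triage script, not from this thread nor from the DDS or Malwarebytes tools: it encodes a few of the checks a malware helper applies by eye to logs like the ones posted above (UAC switched off, autorun entries without a readable name, hidden Firefox extensions loading from the user profile, MBAM detections that point at persistence). The sample lines are copied from the posted logs; the rule names and severities are the example's own.

```python
"""Triage rules for DDS 'Pseudo HJT' lines and Malwarebytes log lines.

Added example; not part of the TechSpot thread or of the DDS/GMER/MBAM tools.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
HIDDEN_EXT_RE = re.compile(r"^FF - HiddenExtension:\s*(?P<name>[^:]+):(?P<rest>.*)$")
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Finding:
    severity: str  # "high" or "medium" (severity scale is this example's own)
    rule: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules to one log line; return a Finding, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None

    m = POLICY_RE.match(line)
    if m:
        # EnableLUA = 0 means UAC is off: every autorun then runs with full admin rights.
        if m.group("key") == "EnableLUA" and int(m.group("val")) == 0:
            return Finding("high", "UAC disabled (EnableLUA = 0)", line)
        return None

    m = RUN_RE.match(line)
    if m:
        name = m.group("name").strip()
        # Legitimate software names its Run entry; a blank name or a bare GUID is worth a look.
        if name in ("", "<NO NAME>") or GUID_RE.match(name):
            return Finding("medium", "autorun entry with empty or GUID-only name", line)
        return None

    m = HIDDEN_EXT_RE.match(line)
    if m:
        path = m.group("rest").rsplit(" - ", 1)[-1].strip().lower()
        # Vendor-installed hidden extensions live under Program Files; one under the
        # user profile (AppData) was dropped by something running as that user.
        if "\\appdata\\" in path or "\\users\\" in path:
            return Finding("high", "hidden Firefox extension loaded from the user profile", line)
        return None

    m = MBAM_RE.match(line)
    if m:
        rule = f"{m.group('detection')} detected; {m.group('action').rstrip('.')}"
        # A Run value is persistence: flag it so a later scan confirms it did not return.
        if "\\currentversion\\run\\" in m.group("item").lower():
            rule += " (persistence via Run key)"
        return Finding("high", rule, line)

    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {"high": 4, "medium": 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: lines copied from the DDS and Malwarebytes logs posted in this thread.
SAMPLE_LOG = r"""
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [<NO NAME>]
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
FF - HiddenExtension: XULRunner: {9398FD24-58F0-47BA-A72E-0EB27CFDB872} - c:\users\owner\appdata\local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3541dacd-016c-f3a6-84f5-2ec457a3b36f} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\sysservice.dll (Backdoor.IRCBot) -> Quarantined and deleted successfully.
uStart Page = hxxp://www.bing.com/
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running it against the sample yields five findings; the Java Console extension under Program Files and the EnableUIADesktopToggle policy are deliberately left unflagged.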
     
  4. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    ====

    Please do the following in the order given:

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!

    ======================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  5. preston67

    preston67 TS Rookie Topic Starter

    ComboFix:

    ComboFix 10-09-17.04 - owner 09/18/2010 7:46.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1147 [GMT -7:00]
    Running from: c:\users\owner\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}
    c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\chrome.manifest
    c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\chrome\content\_cfg.js
    c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\chrome\content\overlay.xul
    c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\install.rdf
    c:\users\owner\AppData\Local\Windows Server
    c:\users\owner\AppData\Local\Windows Server\flags.ini
    c:\users\owner\AppData\Local\Windows Server\server.dat
    c:\users\owner\AppData\Local\Windows Server\uses32.dat
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\images
    c:\windows\system32\images\toolbar\calendar.gif
    c:\windows\system32\images\toolbar\crlogo.gif
    c:\windows\system32\images\toolbar\export.gif
    c:\windows\system32\images\toolbar\export_over.gif
    c:\windows\system32\images\toolbar\exportd.gif
    c:\windows\system32\images\toolbar\First.gif
    c:\windows\system32\images\toolbar\first_over.gif
    c:\windows\system32\images\toolbar\Firstd.gif
    c:\windows\system32\images\toolbar\gotopage.gif
    c:\windows\system32\images\toolbar\gotopage_over.gif
    c:\windows\system32\images\toolbar\gotopaged.gif
    c:\windows\system32\images\toolbar\grouptree.gif
    c:\windows\system32\images\toolbar\grouptree_over.gif
    c:\windows\system32\images\toolbar\grouptreed.gif
    c:\windows\system32\images\toolbar\grouptreepressed.gif
    c:\windows\system32\images\toolbar\Last.gif
    c:\windows\system32\images\toolbar\last_over.gif
    c:\windows\system32\images\toolbar\Lastd.gif
    c:\windows\system32\images\toolbar\Next.gif
    c:\windows\system32\images\toolbar\next_over.gif
    c:\windows\system32\images\toolbar\Nextd.gif
    c:\windows\system32\images\toolbar\Prev.gif
    c:\windows\system32\images\toolbar\prev_over.gif
    c:\windows\system32\images\toolbar\Prevd.gif
    c:\windows\system32\images\toolbar\print.gif
    c:\windows\system32\images\toolbar\print_over.gif
    c:\windows\system32\images\toolbar\printd.gif
    c:\windows\system32\images\toolbar\Refresh.gif
    c:\windows\system32\images\toolbar\refresh_over.gif
    c:\windows\system32\images\toolbar\refreshd.gif
    c:\windows\system32\images\toolbar\Search.gif
    c:\windows\system32\images\toolbar\search_over.gif
    c:\windows\system32\images\toolbar\searchd.gif
    c:\windows\system32\images\toolbar\up.gif
    c:\windows\system32\images\toolbar\up_over.gif
    c:\windows\system32\images\toolbar\upd.gif
    c:\windows\system32\images\tree\begindots.gif
    c:\windows\system32\images\tree\beginminus.gif
    c:\windows\system32\images\tree\beginplus.gif
    c:\windows\system32\images\tree\blank.gif
    c:\windows\system32\images\tree\blankdots.gif
    c:\windows\system32\images\tree\dots.gif
    c:\windows\system32\images\tree\lastdots.gif
    c:\windows\system32\images\tree\lastminus.gif
    c:\windows\system32\images\tree\lastplus.gif
    c:\windows\system32\images\tree\Magnify.gif
    c:\windows\system32\images\tree\minus.gif
    c:\windows\system32\images\tree\minusbox.gif
    c:\windows\system32\images\tree\plus.gif
    c:\windows\system32\images\tree\plusbox.gif
    c:\windows\system32\images\tree\singleminus.gif
    c:\windows\system32\images\tree\singleplus.gif

    Infected copy of c:\windows\system32\wininit.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe

    Infected copy of c:\windows\system32\wininit.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
    .

    2010-09-18 14:58 . 2010-09-18 15:30 -------- d-----w- c:\users\owner\AppData\Local\temp
    2010-09-18 14:58 . 2010-09-18 14:58 -------- d-----w- c:\users\KNOWN~1\AppData\Local\temp
    2010-09-18 14:58 . 2010-09-18 14:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-09-18 14:58 . 2010-09-18 14:58 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-17 06:41 . 2010-09-17 06:41 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
    2010-09-17 06:40 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-17 06:40 . 2010-09-17 06:40 -------- d-----w- c:\programdata\Malwarebytes
    2010-09-17 06:40 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-17 06:40 . 2010-09-17 06:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-17 05:17 . 2010-09-17 05:25 680 ----a-w- c:\users\owner\AppData\Local\d3d9caps.dat
    2010-09-17 01:34 . 2010-09-18 06:36 -------- d-----w- C:\cleanup
    2010-09-16 14:03 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-09-15 09:39 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
    2010-09-15 09:39 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-15 09:39 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
    2010-09-15 09:39 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
    2010-09-13 06:11 . 2010-09-13 06:11 -------- d-----w- C:\Cems Data Properties
    2010-09-06 14:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-03 05:27 . 2010-09-03 05:27 1152 ----a-w- c:\windows\system32\windrv.sys
    2010-09-03 05:27 . 2010-09-17 04:48 -------- d-----w- c:\program files\SpyNoMore
    2010-08-27 16:23 . 2010-08-27 16:23 -------- d-----w- C:\389294be31a859d6fb

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 06:23 . 2010-04-13 00:44 241 ----a-w- c:\users\owner\tsMS.reg
    2010-09-17 07:07 . 2007-08-28 21:50 12 ----a-w- c:\windows\bthservsdp.dat
    2010-09-17 06:49 . 2010-06-02 22:03 -------- d-----w- c:\users\owner\AppData\Roaming\Wubir
    2010-09-15 11:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-09-14 06:04 . 2008-09-03 05:00 -------- d-----w- c:\program files\KEPServerEx
    2010-09-14 05:58 . 2008-06-17 05:33 -------- d-----w- c:\program files\ETI
    2010-09-06 14:36 . 2007-08-28 22:40 -------- d-----w- c:\program files\Common Files\Java
    2010-09-06 14:36 . 2007-08-28 22:40 -------- d-----w- c:\program files\Java
    2010-09-06 10:26 . 2008-06-21 06:10 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-08-27 17:08 . 2010-08-17 06:01 120 ----a-w- c:\users\owner\AppData\Local\Ptepepovaxesa.dat
    2010-08-27 17:08 . 2010-08-17 06:01 0 ----a-w- c:\users\owner\AppData\Local\Dnaranofowa.bin
    2010-08-26 19:07 . 2010-06-16 03:43 -------- d-----w- c:\program files\Verizon
    2010-08-18 05:20 . 2010-08-15 04:07 -------- d-----w- c:\program files\McAfee Security Scan
    2010-08-17 04:45 . 2010-08-08 03:56 -------- d-----w- c:\users\owner\AppData\Roaming\Ipfey
    2010-08-15 04:07 . 2010-08-15 04:07 -------- d-----w- c:\programdata\McAfee Security Scan
    2010-07-29 04:39 . 2010-04-10 07:01 -------- d-----w- c:\program files\McAfee
    2010-07-15 22:18 . 2010-04-10 07:01 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-06-26 06:05 . 2010-09-16 13:49 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-26 06:02 . 2010-09-16 13:49 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-06-26 06:02 . 2010-09-16 13:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-06-26 04:25 . 2010-09-16 13:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-06-21 13:18 . 2010-08-12 03:07 2036736 ----a-w- c:\windows\system32\win32k.sys
    2007-08-28 22:42 . 2007-08-28 22:16 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
    "PC Hardware Manager"="c:\program files\PC Hardware Manager\PCHardwareManager.exe" [2006-11-23 469504]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1261568]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-25 90191]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-25 81920]
    "snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-6-22 739880]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]

    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Preload.lnk - c:\hp\bin\HPUtilCK.exe [2007-8-28 61440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2007-05-04 858112]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 SDActMon;SDActMon;c:\program files\SpywareDetector\SDActMon.sys [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
    S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [2009-11-18 668912]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
    S3 asusledbt;ASUS Bluetooth LED Device Driver;c:\windows\system32\DRIVERS\asusledbt.sys [2006-10-03 24880]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-05-17 28464]
    S3 CFXPDisplayName;CFXPDisplayName;c:\windows\system32\DRIVERS\CFACPI.sys [2006-10-24 7680]
    S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-04-18 366080]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 19:22]

    2010-09-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 19:22]

    2010-09-17 c:\windows\Tasks\User_Feed_Synchronization-{BA7A0505-FF05-49E9-B716-0D5F8133CC87}.job
    - c:\windows\system32\msfeedssync.exe [2010-09-16 04:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
    Trusted Zone: att.com\*.vpn
    Trusted Zone: att.com\www.e-access
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://cassl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://cassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
    FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\b82lmtqd.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
    FF - plugin: c:\users\owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKLM-Run-SDActiveMonitor - c:\program files\SpywareDetector\SDActiveMonitor.exe
    AddRemove-MegaTune 2.25_is1 - c:\program files\MegaSquirt\MegaTune2.25\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-18 08:33
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(4704)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\btncopy.dll
    c:\program files\Microsoft Virtual PC\VPCShExH.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\schtasks.exe
    c:\windows\System32\rundll32.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Flip Video\FlipShare\FlipShareService.exe
    c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\lkcitdl.exe
    c:\windows\system32\lkads.exe
    c:\windows\system32\lktsrv.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\National Instruments\Shared\Security\nidmsrv.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\system32\WUDFHost.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-18 08:40:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-18 15:40

    Pre-Run: 362,824,163,328 bytes free
    Post-Run: 362,861,932,544 bytes free

    - - End Of File - - 408C258DC94F39E93E641E1B2A1CA092
     
  6. preston67

    preston67 TS Rookie Topic Starter

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 1 (build 6001), 32-bit
    Base Board Manufacturer: ASUSTeK Computer INC.
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: HP-Pavilion
    System Product Name: GN583AA-ABA IQ775
    Logical Drives Mask: 0x0000007c

    Kernel Drivers (total 162):
    0x82015000 \SystemRoot\system32\ntkrnlpa.exe
    0x823CE000 \SystemRoot\system32\hal.dll
    0x80401000 \SystemRoot\system32\kdcom.dll
    0x80409000 \SystemRoot\system32\PSHED.dll
    0x8041A000 \SystemRoot\system32\BOOTVID.dll
    0x80422000 \SystemRoot\system32\CLFS.SYS
    0x80463000 \SystemRoot\system32\CI.dll
    0x80543000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x805BF000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8060F000 \SystemRoot\system32\drivers\acpi.sys
    0x80655000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x8065E000 \SystemRoot\system32\drivers\msisadrv.sys
    0x80666000 \SystemRoot\system32\drivers\pci.sys
    0x8068D000 \SystemRoot\System32\drivers\partmgr.sys
    0x8069C000 \SystemRoot\system32\drivers\volmgr.sys
    0x806AB000 \SystemRoot\System32\drivers\volmgrx.sys
    0x806F5000 \SystemRoot\system32\drivers\pciide.sys
    0x806FC000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x8070A000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8071A000 \SystemRoot\system32\drivers\atapi.sys
    0x80722000 \SystemRoot\system32\drivers\ataport.SYS
    0x80740000 \SystemRoot\system32\drivers\nvstor32.sys
    0x8075D000 \SystemRoot\system32\drivers\storport.sys
    0x8079E000 \SystemRoot\system32\drivers\fltmgr.sys
    0x807D0000 \SystemRoot\system32\drivers\fileinfo.sys
    0x807E0000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x8260D000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8267E000 \SystemRoot\system32\drivers\ndis.sys
    0x82789000 \SystemRoot\system32\drivers\msrpc.sys
    0x827B4000 \SystemRoot\system32\drivers\NETIO.SYS
    0x87C0A000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x87D19000 \SystemRoot\system32\drivers\volsnap.sys
    0x87D52000 \SystemRoot\System32\Drivers\spldr.sys
    0x87D5A000 \SystemRoot\System32\Drivers\mup.sys
    0x87D69000 \SystemRoot\System32\drivers\ecache.sys
    0x87D90000 \SystemRoot\system32\drivers\disk.sys
    0x87DA1000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x87DC2000 \SystemRoot\system32\drivers\crcdisk.sys
    0x827EE000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x87C00000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x807E9000 \SystemRoot\system32\DRIVERS\amdk8.sys
    0x8BC0B000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x8C04B000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8C0EA000 \SystemRoot\System32\drivers\watchdog.sys
    0x8C0F7000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8C101000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8C13F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8C14E000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8C166000 \SystemRoot\system32\drivers\hcw18bda.sys
    0x8C1C0000 \SystemRoot\system32\drivers\ks.sys
    0x8C1EA000 \SystemRoot\system32\drivers\BdaSup.SYS
    0x8C1ED000 \SystemRoot\system32\DRIVERS\ohci1394.sys
    0x80600000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
    0x805CC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8C208000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
    0x8C30B000 \SystemRoot\system32\DRIVERS\CFACPI.sys
    0x8C313000 \SystemRoot\system32\DRIVERS\VMNetSrv.sys
    0x8C322000 \SystemRoot\system32\DRIVERS\dne2000.sys
    0x8C340000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8C36E000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8C379000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8C390000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8C39B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8C3BE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8C3CD000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8C3E1000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x805DE000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8BC00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x82600000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8C3F6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x805EE000 \SystemRoot\system32\DRIVERS\circlass.sys
    0x8C607000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8C611000 \SystemRoot\system32\DRIVERS\asusledbt.sys
    0x8C61B000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8C628000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8C65C000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8C66D000 \SystemRoot\system32\drivers\ADIHdAud.sys
    0x8C6C7000 \SystemRoot\system32\drivers\portcls.sys
    0x8C6F4000 \SystemRoot\system32\drivers\drmk.sys
    0x8C719000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8C722000 \SystemRoot\System32\Drivers\Null.SYS
    0x8C729000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8C739000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8C740000 \SystemRoot\System32\drivers\vga.sys
    0x8C74C000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8C76D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8C775000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8C77D000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8C788000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8C796000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x90C0F000 \SystemRoot\System32\drivers\tcpip.sys
    0x90CF8000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x90D13000 \SystemRoot\System32\Drivers\Mpfp.sys
    0x90D3C000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x90D52000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
    0x90D64000 \SystemRoot\system32\DRIVERS\smb.sys
    0x90D78000 \SystemRoot\system32\drivers\afd.sys
    0x90DC0000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8C79F000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x90DF2000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8C7B5000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x90E0C000 \??\C:\Windows\system32\Drivers\vmm.sys
    0x90E47000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x90E83000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x90E8D000 \SystemRoot\system32\drivers\mfehidk.sys
    0x90EC0000 \SystemRoot\System32\Drivers\dfsc.sys
    0x90ED7000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x90EE0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x90EF0000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x90EF2000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x90EFF000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0x90F09000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
    0x90F26000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x90F2E000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x90F40000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x9A4B0000 \SystemRoot\System32\win32k.sys
    0x90F49000 \SystemRoot\System32\drivers\Dxapi.sys
    0x90F53000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x90F6A000 \SystemRoot\system32\DRIVERS\usbcir.sys
    0x90F80000 \SystemRoot\system32\DRIVERS\hidir.sys
    0x90F8B000 \SystemRoot\System32\Drivers\BTHUSB.sys
    0x90F97000 \SystemRoot\System32\Drivers\bthport.sys
    0x90FD1000 \SystemRoot\system32\DRIVERS\rfcomm.sys
    0x90FE2000 \SystemRoot\system32\DRIVERS\BthEnum.sys
    0x8C7C8000 \SystemRoot\system32\DRIVERS\bthpan.sys
    0x80C0A000 \SystemRoot\system32\drivers\btwavdt.sys
    0x80C77000 \SystemRoot\system32\drivers\btwaudio.sys
    0x80CF3000 \SystemRoot\system32\DRIVERS\btwl2cap.sys
    0x80CFD000 \SystemRoot\system32\DRIVERS\btwrchid.sys
    0x80D00000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x9A6D0000 \SystemRoot\System32\TSDDD.dll
    0x9A6F0000 \SystemRoot\System32\cdd.dll
    0x80D0F000 \SystemRoot\system32\drivers\luafv.sys
    0x80D32000 \SystemRoot\system32\drivers\spsys.sys
    0x80DE1000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x87DCB000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x80DF1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x90FEC000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x9F80A000 \SystemRoot\system32\drivers\HTTP.sys
    0x9F877000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x9F894000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9F8AD000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9F8C2000 \SystemRoot\system32\drivers\mrxdav.sys
    0x9F8E2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9F901000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x9F93A000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9F952000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9F979000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA0607000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0xA095A000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xA0967000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0xA0986000 \SystemRoot\System32\Drivers\cvintdrv.SYS
    0xADE0D000 \SystemRoot\system32\drivers\peauth.sys
    0xADEEB000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xADEF5000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xADF01000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0xADF16000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
    0xADF28000 \SystemRoot\system32\drivers\mfebopk.sys
    0xADF2F000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xADF41000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xADF57000 \SystemRoot\system32\drivers\mfesmfk.sys
    0x76E70000 \Windows\System32\ntdll.dll

    Processes (total 94):
    0 System Idle Process
    4 System
    416 C:\Windows\System32\smss.exe
    548 csrss.exe
    612 C:\Windows\System32\wininit.exe
    628 csrss.exe
    660 C:\Windows\System32\services.exe
    672 C:\Windows\System32\lsass.exe
    680 C:\Windows\System32\lsm.exe
    828 C:\Windows\System32\svchost.exe
    888 C:\Windows\System32\svchost.exe
    920 C:\Windows\System32\svchost.exe
    976 C:\Windows\System32\svchost.exe
    1008 C:\Windows\System32\svchost.exe
    1024 C:\Windows\System32\svchost.exe
    1084 C:\Windows\System32\winlogon.exe
    1156 C:\Windows\System32\audiodg.exe
    1180 C:\Windows\System32\svchost.exe
    1196 C:\Windows\System32\SLsvc.exe
    1248 C:\Windows\System32\svchost.exe
    1348 C:\Windows\System32\svchost.exe
    1372 C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    1608 C:\Windows\System32\spoolsv.exe
    1632 C:\Windows\System32\svchost.exe
    2024 C:\Windows\System32\taskeng.exe
    268 C:\Windows\System32\dwm.exe
    436 C:\Windows\explorer.exe
    1512 C:\hp\support\hpsysdrv.exe
    1676 C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    1964 C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
    2016 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    316 C:\Windows\System32\schtasks.exe
    720 C:\Program Files\Analog Devices\Core\smax4pnp.exe
    1708 C:\Windows\vsnp2uvc.exe
    2020 C:\Windows\System32\rundll32.exe
    1432 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1840 C:\Program Files\McAfee.com\Agent\mcagent.exe
    1824 C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
    1852 C:\Program Files\Verizon\McciTrayApp.exe
    1868 C:\Program Files\Windows Sidebar\sidebar.exe
    1016 C:\Windows\ehome\ehtray.exe
    1800 C:\Program Files\Windows Media Player\wmpnscfg.exe
    1820 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    2064 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    2072 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    2080 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    2192 C:\Windows\ehome\ehmsas.exe
    2664 C:\Windows\System32\svchost.exe
    2696 C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    2732 C:\Windows\System32\svchost.exe
    2860 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2916 C:\Windows\System32\lkcitdl.exe
    2964 C:\Windows\System32\lkads.exe
    2976 C:\Windows\System32\lktsrv.exe
    2988 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    3020 C:\Program Files\Common Files\Motive\McciCMService.exe
    3084 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    3168 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    3180 C:\Windows\System32\rundll32.exe
    3240 C:\Program Files\Common Files\microsoft shared\VS7Debug\mdm.exe
    3292 C:\Program Files\McAfee\MPF\MpfSrv.exe
    3320 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    3336 C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
    3404 C:\Windows\System32\svchost.exe
    3428 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    3456 C:\Program Files\Verizon\VSP\ServicepointService.exe
    3520 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    3596 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    3664 C:\Windows\System32\svchost.exe
    3808 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    3872 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    3980 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    4020 C:\Windows\System32\svchost.exe
    4048 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    1976 C:\Windows\System32\SearchIndexer.exe
    2616 WUDFHost.exe
    1624 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    3976 unsecapp.exe
    3924 WmiPrvSE.exe
    2256 C:\Program Files\Windows Media Player\wmpnetwk.exe
    1808 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    4172 WmiPrvSE.exe
    5468 C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
    5544 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
    5712 C:\Windows\System32\taskeng.exe
    5840 C:\Program Files\Mozilla Firefox\firefox.exe
    4116 C:\Windows\System32\SearchProtocolHost.exe
    4508 C:\Windows\System32\SearchFilterHost.exe
    5392 C:\Program Files\Mozilla Firefox\plugin-container.exe
    5828 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    5928 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    1296 C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
    5012 C:\Windows\explorer.exe
    4752 C:\cleanup\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000072`2ab58000 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHD501LJ, Rev: CR10

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Hewlett-Packard MBR code detected
    SHA1: 161E5DF10EB9B6EAC4AA8DF99305EF77B11BEBD8


    Done!
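A first-pass triage of an MBRCheck process list like the one above, added here as an example and not part of the original thread or of the MBRCheck tool: it flags processes that the tool reported without a full image path, that run directly from the Windows root, or that run from a directory outside the usual system and Program Files locations. The sample lines are constructed from the log format above; the expected-location list and the small allow-list are assumptions, not a rule MBRCheck itself applies.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "PID  path" format MBRCheck prints (taken from the log above).
SAMPLE_LOG = """\
1196 C:\\Windows\\System32\\SLsvc.exe
436 C:\\Windows\\explorer.exe
1708 C:\\Windows\\vsnp2uvc.exe
2616 WUDFHost.exe
3924 WmiPrvSE.exe
5840 C:\\Program Files\\Mozilla Firefox\\firefox.exe
4752 C:\\cleanup\\MBRCheck.exe
3084 C:\\PROGRA~1\\COMMON~1\\McAfee\\McProxy\\McProxy.exe
"""

# Assumed: directories from which most legitimate processes on a Vista-era HP box run.
EXPECTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\ehome\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)
# Assumed: binaries that legitimately live directly in C:\Windows.
WINDOWS_ROOT_ALLOWED = {"explorer.exe"}

LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

@dataclass
class Finding:
    pid: int
    path: str
    reason: str

def triage(log_text):
    """Return one Finding per process that deserves a closer look, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, path = int(m.group(1)), m.group(2)
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if ":\\" not in low:
            # MBRCheck could not resolve the image path; locate and verify the binary by hand.
            findings.append(Finding(pid, path, "no full image path"))
        elif low.startswith("c:\\windows\\") and low.count("\\") == 2:
            if name not in WINDOWS_ROOT_ALLOWED:
                findings.append(Finding(pid, path, "executable in Windows root"))
        elif not low.startswith(EXPECTED_ROOTS):
            findings.append(Finding(pid, path, "unusual location"))
    return findings
```

Path-based triage only narrows the list; each flagged binary still needs to be checked by hash at VirusTotal or Jotti, as the helper asks for windrv.sys below.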
     
  7. crunchie

    crunchie Malware Helper Posts: 728

    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    c:\windows\system32\windrv.sys

    =============

    Are you still being re-directed?
     
  8. preston67

    preston67 TS Rookie Topic Starter

    My apologies. I posted earlier, thanking you very much and saying that the problem was solved, but I never pressed submit on my post - it was sitting here unposted when I got back to the computer tonight.

    Virus Total said 0/43 hits on windrv.sys, no indications of a problem.

    The problem does appear to be solved. Thank you, crunchie and TechSpot forums; you guys are really doing a great service here.
     
  9. crunchie

    crunchie Malware Helper Posts: 728

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC by OldTimer:
    Save it to your Desktop.
    Double click OTC.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

    ===========

    You are welcome :).
     
Topic Status:
Not open for further replies.
